The Russian-speaking group behind the infamous RTM banking trojan is now packing a trifecta of threats as it turns up the heat, as part of a large new money-grab campaign. Beyond the banking malware it is known for, the attackers have enlisted a recently discovered ransomware family called Quoter as part of a new double-extortion strategy. The triple-threat attack, which started its “active phase” in December 2020 and is ongoing, has hit at least ten Russian organizations in the transport and finance sectors via malicious email messages, according to a report Kaspersky released this week. Should the money-stealing tactics of the RTM group’s hallmark Trojan-Banker.Win32.RTM payload fail, the attackers have a backup plan. Plan “B” is to deploy a never-before-seen ransomware family, which researchers are calling Quoter; the name comes from the quotes from popular movies embedded in the ransomware code. If the attackers then hit a brick wall, they try to extort money from victims by threatening to release data stolen from the targets if they don’t pay up. “What’s remarkable about this story is the evolution of the group behind the RTM ransomware,” according to a translation of Kaspersky’s research report. The researchers said the group has gone far beyond its tried-and-true methods of “making money,” now also relying on extortion and doxing. They added that it is unusual for Russian-speaking cybercriminals to attack organizations in Russia, although the ransomware is also…

Source

Researchers have spotted malicious packages inside the npm public code repository targeting internal applications at Amazon, Lyft, Slack and Zillow (among others); all of them exfiltrate sensitive information. The packages weaponize a proof-of-concept (PoC) dependency-confusion technique recently devised by security researcher Alex Birsan to inject rogue code into developer projects. Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories. Birsan decided to see what would happen if he published “copycat” packages to public repositories like npm, with the same names as the private, legitimate code dependencies. “Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?” he asked. The answer was yes: when the same name exists in both a private and a public registry, an installer that is not pinned to the private registry can pull the public copy, typically because it carries a higher version number.

Dependency Confusion Gains Swarms of Copycat Fans

In Birsan’s case, he tested this “dependency confusion” using benign PoC code blocks. These were uploaded to public repositories, and he simply sat back and waited to see whether they would be imported. His hunch proved correct, demonstrating how outside code can be imported and propagated through a targeted company’s internal applications and systems with relative ease, including at Apple, Microsoft, Netflix, PayPal, Shopify, Tesla and Uber. In all, he received more than $130,000 in bug bounties and pre-approved financial arrangements with targeted…
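The check a defender would want after reading the above is whether any dependency name in a project could be satisfied by a same-name public package. The script below is an added example, not Birsan’s PoC and not code from any of the companies named; it audits a constructed package.json together with its .npmrc. The package names, the "acme-" internal prefix and the private registry URL are all assumptions chosen for illustration.

```python
"""Added example (not Birsan's PoC or code from the page): audit a project's
package.json and .npmrc for dependency names that a same-name public package
could hijack. All package and registry names here are constructed."""
import json

# Constructed sample inputs: a private project mixing internal and public dependencies.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "internal-billing",
    "dependencies": {
        "@acme/auth-client": "^2.1.0",   # scoped, and the scope is pinned below to a private registry
        "acme-logging": "1.4.2",         # unscoped internal name: resolvable from public npm
        "lodash": "^4.17.21",            # genuinely public package, expected to come from npmjs.org
    },
    "devDependencies": {"acme-test-utils": "0.3.0"},
})
SAMPLE_NPMRC = "\n".join([
    "registry=https://registry.npmjs.org/",
    "@acme:registry=https://npm.internal.acme.example/",   # assumed private registry URL
])


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc key=value lines."""
    default_registry = "https://registry.npmjs.org/"
    scopes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "registry":
            default_registry = value
        elif key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = value
    return default_registry, scopes


def audit_dependencies(package_json_text, npmrc_text, internal_prefixes=("acme-",)):
    """Flag dependencies whose name could be served by a public registry.

    A scoped name is only safe if its scope is routed to a private registry in
    .npmrc. An unscoped name matching an internal naming prefix is exactly what
    a dependency-confusion upload targets: the installer will take a
    higher-versioned public package with the same name.
    """
    pkg = json.loads(package_json_text)
    _, scopes = parse_npmrc(npmrc_text)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    findings = []
    for name in sorted(deps):
        if name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope not in scopes:
                findings.append((name, "scoped, but scope not pinned to a private registry"))
        elif name.startswith(tuple(internal_prefixes)):
            findings.append((name, "unscoped internal name resolves from the public registry"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC):
        print(f"{name}: {reason}")
```

On the sample input the two unscoped "acme-" packages are reported; the scoped one is accepted only because the .npmrc pins "@acme" to the private registry, and removing that line makes it a finding too. Reserving the scope on the public registry as well closes the remaining gap.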

Source

Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal large amounts of data and drop malware on target machines for long-term remote access, according to the company. The attacks are “limited and targeted,” according to Microsoft, which spurred it to release out-of-band patches this week. The exploited bugs are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Other researchers, however, have reported seeing the activity compromise large swathes of victim organizations. “The team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,” a spokesperson at Huntress told Threatpost. The culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Past targets have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities. “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be…

Source

The cyberattack that hit Universal Health Services (UHS) in September has cost the healthcare provider $67 million, according to its financial statements. A fourth-quarter earnings report last week from UHS highlighted the “significant incremental labor expense” needed to restore IT operations after the incident. UHS said that administrative functions, such as billing, were also delayed, which had a “negative impact” on its operating cash flows in the fourth quarter. “As a result of these factors, we estimate that this incident had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020,” according to the UHS earnings report. When it first occurred, the cyberattack disrupted various IT applications used by the Fortune 500 company, which is one of the nation’s largest hospital management firms. Throughout October, UHS said, it worked to “substantially restore” those applications, and its facilities “generally” resumed normal operations. “We estimate that approximately $12 million of the unfavorable pre-tax impact was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter of 2020,” the report said.

UHS Cyberattack: Breaking Down the Financial Damages

While UHS did not say what kind of attack it suffered, reports pointed to the Ryuk ransomware as the culprit. However, there was no mention of ransomware, or of losses incurred from a paid…

Source

Microsoft Corp. today released software updates to plug four security holes that attackers have been using to plunder email communications at companies that use its Exchange Server products. The company says all four flaws are being actively exploited as part of a complex attack chain deployed by a previously unidentified Chinese cyber-espionage group. The software giant typically releases security updates on the second Tuesday of each month, but it occasionally deviates from that schedule when addressing active attacks that target newly identified and serious vulnerabilities in its products. The patches released today fix security problems in Microsoft Exchange Server 2013, 2016 and 2019. Microsoft said its Exchange Online service, basically hosted email for businesses, is not affected by these flaws. Microsoft credited researchers at Reston, Va.-based Volexity for reporting the attacks. Volexity President Steven Adair told KrebsOnSecurity it first spotted the attacks on Jan. 6, 2021. Adair said that while the exploits used by the group may have taken great skill to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization’s email if its vulnerable Exchange servers are directly exposed to the Internet. “These flaws are very easy to exploit,” Adair said. “You don’t need any special knowledge with these exploits. You just show up and say ‘I would like to break in and read all their email.’ That’s all there is to…

Source

PrismHR, a company that sells technology used by other firms to help more than 80,000 small businesses manage payroll, benefits and human resources, has suffered what appears to be an ongoing ransomware attack that is disrupting many of its services. Hopkinton, Mass.-based PrismHR handles everything from payroll processing and human resources to health insurance and tax forms for hundreds of “professional employer organizations” (PEOs) that serve more than two million employees. The company processes more than $80 billion in payroll payments annually on behalf of PEOs and their clients. Countless small businesses turn to PEOs in part because they simplify compliance with various state payroll taxes, and because PEOs are the easiest way for small businesses to pool their resources and obtain more favorable health insurance rates for their employees. PrismHR has not yet responded to requests for comment. But in a notice sent to its PEO partners, PrismHR said it detected suspicious activity within its networks on Feb. 28, and that it disabled access to its platform for all users in an effort to contain the security incident. The company said the disruption has affected 200 PEO clients across the country, and that the most immediate concern is helping PEOs ensure their customers can process payrolls this week. “The outage may extend throughout today and possibly later, with potential impact on payroll processing,” Prism explained in a template email it suggested PEO partners…

Source

Hackers behind previous iPhone jailbreak tools have released a jailbreak update based on a recently discovered and patched iPhone vulnerability. According to the iPhone jailbreakers at UnC0ver, the tool allows users to take full control of unpatched iPhones. The jailbreak, which UnC0ver said works on iOS versions 11.0 to 14.3, exploits the kernel vulnerability CVE-2021-1782, one of three iOS flaws for which Apple released an emergency update, iOS 14.4, last month. At the time the company said the vulnerabilities may have been exploited in the wild. With the release of 14.4, many devices will already have been updated, which means the jailbreak won’t work on them. However, anyone with a device running 14.3 or an earlier version of iOS can use the tool to jailbreak their iPhone, according to UnC0ver. UnC0ver announced the release, UnC0ver v6.0.0, on Twitter after one of the group’s members, Pwn20wnd, had put out several teaser tweets about the imminent arrival of the tool. “Tweet your device model and why you will be jailbreaking your device on iOS 14 with the hashtag #unc0ver!” Pwn20wnd tweeted on Feb. 27 before releasing the tool, with other enthusiasts echoing the call to spread the news.

What Exactly is a Jailbreak Tool?

Jailbreak tools are software that takes advantage of vulnerabilities in iOS to give users root access and full control of their device. Jailbreaking bypasses DRM restrictions, allowing users to run unauthorized and…

Source

The ObliqueRAT malware is now cloaking its payloads as seemingly innocent image files hosted on compromised websites. The remote access trojan (RAT), which has been operating since 2019, spreads via emails with malicious Microsoft Office documents attached. Previously, the payloads were embedded in the documents themselves. Now, if users open the attachment, they are redirected to malicious URLs where the payloads are hidden with steganography. Researchers warn that this new tactic has helped ObliqueRAT operators avoid detection while targeting various organizations in South Asia. The infection chain is unchanged in outline: victims receive an email with a malicious Microsoft Office document which, once opened, fetches the payload, and the payload then exfiltrates various data from the victim. “This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,” said Asheer Malhotra, researcher with Cisco Talos, on Tuesday. “Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.”

What is the ObliqueRAT Malware?

The known activity for ObliqueRAT dates back to November 2019, part of a campaign targeting entities in Southeast Asia and uncovered by Cisco Talos researchers in February 2020. ObliqueRAT operators have always used emails with malicious attachments as an…
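The page says only that the payloads are hidden in image files with steganography, not how. The script below is an added example, not Talos’s tooling and not ObliqueRAT code; it assumes the simplest form of the technique, an executable appended after the bytes an image header declares, and shows the check a scanner can apply to any BMP before an image is trusted. Both the image and the “payload” are constructed in the script so it runs offline.

```python
"""Added example, not Talos's tooling or ObliqueRAT code: detect an executable
smuggled behind the pixel data of a BMP. This assumes the payload is appended
after the image's declared size (an assumption; the page does not say how the
operators embed payloads). The BMP and the fake PE blob are constructed here."""
import struct


def build_bmp(width=2, height=2):
    """Build a minimal, valid 24-bit BMP so the example runs without any file on disk."""
    row = width * 3
    padding = (4 - row % 4) % 4                    # BMP rows are padded to 4-byte boundaries
    pixels = (b"\xff\x00\x00" * width + b"\x00" * padding) * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    header_size = 14 + len(dib)                    # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_size = header_size + len(pixels)
    header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, header_size)
    return header + dib + pixels


# Constructed samples: an innocent image and one with a PE-looking blob glued on the end.
CLEAN_IMAGE = build_bmp()
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64   # not a real executable
TROJANED_IMAGE = CLEAN_IMAGE + FAKE_PAYLOAD


def inspect_bmp(data):
    """Compare the size the BMP header declares with the bytes actually present."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", data, 2)[0]   # bfSize field
    trailer = data[declared_size:]
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "trailing_bytes": len(trailer),
        "trailing_has_mz": trailer.startswith(b"MZ"),
        "trailing_has_pe": b"PE\x00\x00" in trailer,
    }


def is_suspicious(data):
    """True when bytes follow the declared image and look like a Windows executable."""
    info = inspect_bmp(data)
    return info["trailing_bytes"] > 0 and (info["trailing_has_mz"] or info["trailing_has_pe"])


def extract_trailer(data):
    """Return whatever sits past the declared image size, for further analysis."""
    return data[inspect_bmp(data)["declared_size"]:]


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_IMAGE), ("trojaned", TROJANED_IMAGE)):
        print(label, inspect_bmp(blob), "suspicious" if is_suspicious(blob) else "ok")
```

A renderer ignores the trailing bytes, which is why the image still displays normally; the size mismatch is the tell. A payload hidden inside the pixel data rather than after it would not be caught by this check, so treat it as one signal among several.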

Source

A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have found. The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI). The agency said that it achieves self-replication by scanning for network shares, and then copying a unique version of the ransomware executable (with the file name rep.exe or lan.exe) to each of them as they’re found. “Ryuk looks for network shares on the victim IT infrastructure. To do so, some private IP ranges are scanned: 10.0.0.0/8; 172.16.0.0/16; and 192.168.0.0/16,” according to a recent ANSSI report. “Once launched, it will thus spread itself on every reachable machine on which Windows Remote Procedure Call accesses are possible.” The fresh version of Ryuk also reads through infected devices’ Address Resolution Protocol (ARP) tables, which store the IP addresses and MAC addresses of any network devices that the machines communicate with. Then, according to ANSSI, it sends a “Wake-On-LAN” packet to each host, in order to wake up powered-off computers. “It generates every possible IP address on local networks and sends an ICMP ping to each of them,” according to ANSSI. “It lists the IP addresses of the local ARP cache and sends them a [wake-up] packet.” For each identified host, Ryuk will then attempt to mount possible network shares using SMB, or Server Message Block, according to…
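The propagation pattern ANSSI describes (an ICMP sweep of whole private ranges, Wake-on-LAN packets to hosts from the ARP cache, then SMB connections to each reachable host) is visible on the wire well before encryption starts. The script below is an added example, not ANSSI’s tooling and not Ryuk code: it runs that logic over constructed flow records and flags the one host behaving like the worm. The thresholds, port choices and hostnames are assumptions for illustration, and it uses the full RFC 1918 block 172.16.0.0/12 rather than the /16 quoted above.

```python
"""Added example, not ANSSI's tooling or Ryuk code: flag a host whose traffic
matches the propagation pattern described (ICMP sweep, Wake-on-LAN magic packets,
SMB fan-out). Flow records are constructed; thresholds are illustrative."""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges; the report quotes 172.16.0.0/16, the full block is /12 (assumption used here).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_wol_magic_packet(payload):
    """A Wake-on-LAN magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16 times."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16


def detect_sweeps(flows, icmp_threshold=50, smb_threshold=10):
    """flows: iterable of (src_ip, dst_ip, proto, dst_port, payload).

    Returns {src_ip: counters} for sources that ping many private addresses,
    fan out over SMB (445/tcp), or emit Wake-on-LAN packets at all."""
    icmp_targets = defaultdict(set)
    smb_targets = defaultdict(set)
    wol_count = defaultdict(int)
    for src, dst, proto, dport, payload in flows:
        if proto == "udp" and dport in (7, 9) and is_wol_magic_packet(payload):
            wol_count[src] += 1            # WoL may be broadcast, so no range filter here
            continue
        if not any(ipaddress.ip_address(dst) in net for net in PRIVATE_RANGES):
            continue
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "tcp" and dport == 445:
            smb_targets[src].add(dst)
    alerts = {}
    for src in set(icmp_targets) | set(smb_targets) | set(wol_count):
        icmp_n, smb_n, wol_n = len(icmp_targets[src]), len(smb_targets[src]), wol_count[src]
        if icmp_n >= icmp_threshold or smb_n >= smb_threshold or wol_n > 0:
            alerts[src] = {"icmp_targets": icmp_n, "smb_targets": smb_n, "wol_packets": wol_n}
    return alerts


def sample_flows():
    """Constructed traffic: one ordinary workstation and one host behaving like the worm."""
    flows = [
        ("192.168.1.20", "192.168.1.5", "tcp", 445, b""),   # workstation to its file server
        ("192.168.1.20", "192.168.1.1", "icmp", 0, b""),    # workstation pings the gateway
    ]
    mac = bytes.fromhex("001122334455")                     # constructed MAC from the "ARP cache"
    magic = b"\xff" * 6 + mac * 16
    for i in range(1, 255):                                  # ping every address in the /24
        flows.append(("192.168.1.77", f"192.168.1.{i}", "icmp", 0, b""))
    for i in (10, 11, 12):                                   # WoL to hosts seen in the ARP cache
        flows.append(("192.168.1.77", f"192.168.1.{i}", "udp", 9, magic))
    for i in range(1, 21):                                   # then SMB to each reachable host
        flows.append(("192.168.1.77", f"192.168.1.{i}", "tcp", 445, b""))
    return flows


if __name__ == "__main__":
    for src, counters in detect_sweeps(sample_flows()).items():
        print(src, counters)
```

In practice the records would come from NetFlow, Zeek conn logs or a packet capture, and the thresholds should be set from a baseline of the network in question; a single Wake-on-LAN packet from anything other than a management host is already worth an alert.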

Source

Hackers painted a bullseye on the backs of online financial institutions in 2020 as the pandemic shuttered local branch offices and forced customers online. Over the past 12 months, incidents of adware nearly tripled, yet overall in 2020 researchers saw a slight drop in the number of mobile cyberattacks, according to a report released Monday by Kaspersky. In its Mobile Malware Evolution 2020 report, Kaspersky documents the current mobile threat landscape and identifies mobile security trends for 2021. It found that while mobile threats dipped slightly over the past year, criminals focused on the quality of mobile attacks rather than mass infections. “We saw a decrease in the number of attacks in the first half of the year, which can be attributed to the confusion of the first months of the pandemic,” wrote Victor Chebyshev, a mobile security researcher at Kaspersky and author of the report. “The attackers had other things to worry about [and] were back at it in the second half.”

What Are the Biggest Mobile Threats?

The leading mobile threat type in 2020 was adware, accounting for 57 percent of attacks. Risk tools came second, representing 21 percent of attacks. Trojan droppers and mobile trojans each represented 4.5 percent of attacks, and SMS-based trojans represented 4 percent of mobile criminal activity. Risk tools, as Kaspersky calls them, are potentially dangerous or unwanted programs that are not inherently malicious, but are used to hide files or terminate…

Source